unofficial mirror of guix-patches@gnu.org

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
 Fix CVE-2018-6360:

https://github.com/mpv-player/mpv/issues/5456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
https://security-tracker.debian.org/tracker/CVE-2018-6360

Patch copied from upstream source repository:

https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43

To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4
checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available
for the 0.28.0 release. So it should be safe to remove hunk #4.

From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001
From: Ricardo Constantino <wiiaboo@gmail.com>
Date: Fri, 26 Jan 2018 01:19:04 +0000
Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from
 youtube-dl

Not very clean since there's a lot of potential unsafe urls that youtube-dl
can give us, depending on whether it's a single url, split tracks,
playlists, segmented dash, etc.
---
 player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 47 insertions(+), 7 deletions(-)

diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
index dd96ecc01d..b480c21625 100644
--- a/player/lua/ytdl_hook.lua
+++ b/player/lua/ytdl_hook.lua
@@ -16,6 +16,18 @@ local ytdl = {
 
 local chapter_list = {}
 
+function Set (t)
+    local set = {}
+    for _, v in pairs(t) do set[v] = true end
+    return set
+end
+
+local safe_protos = Set {
+    "http", "https", "ftp", "ftps",
+    "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
+    "data"
+}
+
 local function exec(args)
     local ret = utils.subprocess({args = args})
     return ret.status, ret.stdout, ret
@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base)
 
     for i = offset, #fragments do
         local fragment = fragments[i]
+        if not url_is_safe(join_url(base, fragment)) then
+            return nil
+        end
         table.insert(parts, edl_escape(join_url(base, fragment)))
         if fragment.duration then
             parts[#parts] =
@@ -208,6 +223,15 @@ local function proto_is_dash(json)
            or json["protocol"] == "http_dash_segments"
 end
 
+local function url_is_safe(url)
+    local proto = type(url) == "string" and url:match("^(.+)://") or nil
+    local safe = proto and safe_protos[proto]
+    if not safe then
+        msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
+    end
+    return safe
+end
+
 local function add_single_video(json)
     local streamurl = ""
     local max_bitrate = 0
@@ -238,14 +264,18 @@ local function add_single_video(json)
             edl_track = edl_track_joined(track.fragments,
                 track.protocol, json.is_live,
                 track.fragment_base_url)
+            local url = edl_track or track.url
+            if not url_is_safe(url) then
+                return
+            end
             if track.acodec and track.acodec ~= "none" then
                 -- audio track
                 mp.commandv("audio-add",
-                    edl_track or track.url, "auto",
+                    url, "auto",
                     track.format_note or "")
             elseif track.vcodec and track.vcodec ~= "none" then
                 -- video track
-                streamurl = edl_track or track.url
+                streamurl = url
             end
         end
 
@@ -264,7 +294,13 @@ local function add_single_video(json)
 
     msg.debug("streamurl: " .. streamurl)
 
-    mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
+    streamurl = streamurl:gsub("^data:", "data://", 1)
+
+    if not url_is_safe(streamurl) then
+        return
+    end
+
+    mp.set_property("stream-open-filename", streamurl)
 
     mp.set_property("file-local-options/force-media-title", json.title)
 
@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
                         site = entry["webpage_url"]
                     end
 
-                    if not (site:find("https?://") == 1) then
-                        site = "ytdl://" .. site
+                    -- links with only youtube id as returned by --flat-playlist
+                    if not site:find("://") then
+                        table.insert(playlist, "ytdl://" .. site)
+                    elseif url_is_safe(site) then
+                        table.insert(playlist, site)
                     end
-                    table.insert(playlist, site)
 
                 end
 
-                mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
+                if #playlist > 0 then
+                    mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
+                end
             end
 
         else -- probably a video
-- 
2.16.1